Trickster

This application poses a simple (yet tricky) file upload challenge that is chained to RCE.

The application allows a user to upload a PNG file. It then checks whether the file is a valid PNG and, if it is, accepts it.

Memory map:

  1. The application must be storing this file somewhere.

  2. We need to figure out the upload directory.

  3. We need to figure out a working bypass for the validation.

  4. We need to chain the file upload to another vulnerability that can provide access to the flag.

So, I inspected the robots.txt file and saw the disallowed entry "uploads/". It also listed instructions.txt.

As we can see, the instructions file gives us a hint.

Observations:

  1. When I upload a legit PNG file, I can access it under /uploads/name.png

  2. Upon uploading a non-PNG file I get this error:

  3. I tried the double extension bypass:

The bypass doesn't work, even though the file name does contain a .png extension.

Inspecting the file type shows that it is ASCII text. Perhaps this is where we have to use the magic bytes trick that instructions.txt told us about. Let's put the PNG magic bytes at the start of this file so it passes as a legit PNG.

Here, we see that the website is no longer saying "It's not a valid PNG file"; instead it gives a different error: "File name does not contain '.png'".

So, I rename the file to "shell.png.php" so that .png is there in the filename somewhere!

shell.png.php
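The two-step check the challenge performs (magic bytes first, then a substring test on the file name) can be modelled to show why shell.png.php slips through and what a hardened check looks like. This is an added example in Python, not the challenge's own code; the sample uploads and the helper names are constructed for illustration.

```python
import os
import secrets
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample uploads (not taken from the challenge): a minimal PNG
# signature plus IHDR chunk, the same bytes with non-image data appended,
# and a plain text file with no signature at all.
PNG_HEADER = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
POLYGLOT = PNG_HEADER + b"not image data (constructed trailing bytes)"
PLAIN_TEXT = b"plain text, no PNG signature (constructed)"


def weak_check(filename: str, data: bytes) -> str:
    """Model of the challenge's validation: signature, then a substring test."""
    if not data.startswith(PNG_MAGIC):
        return "It's not a valid PNG file"
    if ".png" not in filename:          # substring test: 'shell.png.php' passes
        return "File name does not contain '.png'"
    return "accepted"


def strict_check(filename: str, data: bytes) -> str:
    """Hardened validation: .png must be the only and final extension, the
    signature must be present, and the first chunk must be IHDR as the PNG
    spec requires. Extra dots are rejected because Apache's mod_mime can
    honour inner extensions such as .php in 'shell.php.png'."""
    root, ext = os.path.splitext(filename)
    if ext.lower() != ".png" or "." in root:
        return "rejected: extension"
    if not data.startswith(PNG_MAGIC) or data[12:16] != b"IHDR":
        return "rejected: not a PNG"
    return "accepted"


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name on disk: generate a random name
    and pin the extension, so the uploads/ directory never holds a .php."""
    return secrets.token_hex(16) + ".png"
```

Pairing the hardened check with an uploads directory that has script execution disabled (for example `php_admin_flag engine off` in the Apache vhost) removes the RCE even if a polyglot is accepted.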

As we can see, the file we uploaded is being processed here.

Let's try our RCE.

We can see that RCE works!

  1. Unlike other challenges, I searched a lot but couldn't find flag.txt. I looked at the available binaries (using the ls /bin command) and found that find and locate weren't there.

  2. I looked around in the apache directory and found the flag!
